Tentative, but it is more correct and made miri happier.

Differential Revision: https://phabricator.services.mozilla.com/D183625

ThinArc is way more complex than it needs to be, and miri complains
about various things when using the selectors crate with it.

This doesn't fully fix miri, but it gets much closer. ThinArc becomes
just an alias for Arc<HeaderSlice<>>. This allows to simplify the
bindings to ArcSlice too, since now the existing Arc<> code can just be
used.

Differential Revision: https://phabricator.services.mozilla.com/D183011

Differential Revision: https://phabricator.services.mozilla.com/D183303

Differential Revision: https://phabricator.services.mozilla.com/D183509

Bug 1843847. Clear nsDisplayListBuilder::mCurrentContainerASR at the end of a paint. r=mstange, a=dsmith

Differential Revision: https://phabricator.services.mozilla.com/D183741

No bug - Tagging 5d2ffa4fb7d07a9afa9ecb9f2f9619c4e72fb5c9 with FIREFOX_115_0_3esr_RELEASE a=release CLOSED TREE DONTBUILD

No bug - Tagging 5d2ffa4fb7d07a9afa9ecb9f2f9619c4e72fb5c9 with FIREFOX_115_0_3esr_BUILD1 a=release CLOSED TREE DONTBUILD

Bug 1843086: Line participants use block start ascent, instead of not-yet stored baseline. r=emilio, a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D183432

Bug 1842792, disable speculative load of modulepreload if parser has seen importmap, r=jonco,allstarschh,peterv, a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D183421

Bug 1842437 - re-apply the YouTube webcompat intervention to fix back-forward cache navigation issues; r=denschub,webcompat-reviewers, a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D183746

Bug 1831467 - Avoid more UB from transmuting a ref to a ref with interior mutability. r=emilio, a=dsmith

aka one specific change in LLVM 16 introducing UB in Rust, take 3? 4?

This time, we have multiple types like:
  #[xpcom(implement(nsISomething))]
  struct Foo {
      foo: RefCell<Something>,
  }

  impl Foo {
      fn from_interface(obj: &nsISomething) -> &Self {
          unsafe { ::std::mem::transmute(obj) }
      }
  }

At first glance, this looks innocuous. But the problem is that
nsISomething, as far as LLVM is informed by Rust, is readonly,
but Foo, via the RefCell, has interious mutability.

LLVM ends up assuming that any mutability that happens to that returned
&Foo can't happen, and removes it.

This is yet another case where https://github.com/rust-lang/rust/issues/111229
would save our feet from this footgun LLVM 16 added and that the rust
compiler doesn't help us prevent the least.

Differential Revision: https://phabricator.services.mozilla.com/D183569
***
Bug 1831467 fix comment a=dsmith

Bug 1838792: Add TryAddStoredObject to DrawEventRecorderPrivate and use in DrawTargetRecording. r=aosmond, a=dsmith

This means we can do a combination of HasStoredObject and AddStoredObject with
only one call to ProcessPendingDeletions, which uses locking.

Differential Revision: https://phabricator.services.mozilla.com/D181963

When the code was originally added in bug 18426589, it was to use non-atomic
refcounting across multiple threads due to some invariants preventing
concurrent access. That was changed in bug 1607762 to fix a race issue.

We should be able to switch to using the macros now, which will simplify the
code here a bit.

Depends on D183203

Differential Revision: https://phabricator.services.mozilla.com/D183204

Bug 1832715 - Allow multistage spotlight OPEN_URL actions to include UTM params. r=omc-reviewers,negin, a=dsmith

Differential Revision: https://phabricator.services.mozilla.com/D177848

Bug 1840792 - Be more resilient and timely when dealing with database corruption during Chrome browser import. r=kpatenio, a=dsmith

This patch does two things:

1. It makes it so that a corrupt database doesn't result in several retries to
   requery the database, as it's extremely unlikely that a corrupt database is
   going to somehow get repaired in the interim.
2. It makes it so that if any Chrome-based browser resource fails to be acquired
   properly, it still allows other resources from the same (and other!) profiles
   to be imported.

Differential Revision: https://phabricator.services.mozilla.com/D182737

Bug 1842949 - Delegate IPC call to a main-thread runnable if necessary. r=gfx-reviewers,lsalzman,a=dsmith

Differential Revision: https://phabricator.services.mozilla.com/D183377

Differential Revision: https://phabricator.services.mozilla.com/D183249

Original Revision: https://phabricator.services.mozilla.com/D182866

Differential Revision: https://phabricator.services.mozilla.com/D183447

which will allow a GtkIMContext to outlive the IMContextWrapper.

Original Revision: https://phabricator.services.mozilla.com/D182865

Differential Revision: https://phabricator.services.mozilla.com/D183446

Bug 1842933 - Use NEON_FLAGS instead of VPX_ASFLAGS for libaom neon code. r=firefox-build-system-reviewers,andi a=RyanVM

Back when libaom was added, VPX_ASFLAGS was more or less the only
variable that had the right set of flags for NEON support, which
justified its use. However, it's not set when building against system
libvpx.

Bug 1791482 improved things, though, and VPX_ASFLAGS, as far as NEON is
concerned, is now only re-exporting NEON_FLAGS, with the same caveat that
VPX_ASFLAGS is empty when building against system libvpx.

So we should use NEON_FLAGS instead of VPX_ASFLAGS.

Differential Revision: https://phabricator.services.mozilla.com/D183310

Bug 1841040 - Remove over-alignment from GCMarker and Nursery, r=spidermonkey-reviewers,jonco a=RyanVM

js_new<T> cannot guarantee the alignment if T is over-aligned, and this
issue is not trivial to fix (blocked by Bug 1842582).

Add a static assert to detect the attempt using js_new<T> for
over-aligned T, and remove the problematic alignas() attributes as a
short-term fix.

Differential Revision: https://phabricator.services.mozilla.com/D182546

Differential Revision: https://phabricator.services.mozilla.com/D183525

Depends on D183524

Differential Revision: https://phabricator.services.mozilla.com/D183524

Depends on D183523

Differential Revision: https://phabricator.services.mozilla.com/D183523

Differential Revision: https://phabricator.services.mozilla.com/D183486

Bug 1840701 - [marionette] TcpTransport:receive needs to return immediately when socket was closed. r=webdriver-reviewers,jgraham, a=dsmith

Differential Revision: https://phabricator.services.mozilla.com/D182622

Differential Revision: https://phabricator.services.mozilla.com/D183256

Bug 1841216: Fire a11y description change event when aria-description is changed. r=nlapre, a=dsmith

Differential Revision: https://phabricator.services.mozilla.com/D182544

Bug 1842325. Ensure that WebRenderLayerManager::mTarget is always cleared after a transaction. r=gfx-reviewers,lsalzman, a=dsmith

The scope exit in WebRenderLayerManager::EndTransactionWithoutLayer isn't necessary because there are no early returns in that function, but I added it just in case an early return is added in the future.

The assert in nsDisplayList::PaintRoot currently holds because of how the current code is, but these changes will mean EndEmptyTransaction will handle that case as far as clearing mTarget is concerned.

Differential Revision: https://phabricator.services.mozilla.com/D183069

Bug 1830070: Correctly apply RFP Checks to about: documents and deal with pop-ups (ESR) r=smaug,emilio, a=dsmith


This patch has three parts to it, in addition to the many tests
it adds:

1) Use NS_IsContentAccessibleAboutURI to ensure that only safe
   about: documents get exempted.

   With this change, we will no longer allow about:blank or
   about:srcdoc to be exempted base on URI.  If they are to be
   exempted, it will need to be base on other information.

2) In Document::RecomputeResistFingerprinting we previously
   deferred to a Parent Document if we had one, and either the
   principals matched or we were a null principal.

   We will do the same thing, except we will also defer to our
   opener as well as the parent document.  Now about:blank
   documents can be exempted.

   However, this deferral only works if the opener is
   same-process. For cross-process openers, we make the decision
   ourselves.

We can make the wrong decision though. CookieJarSettings is
inherited through iframes but it is _not_ inherited through popups.
(Yet. There's some discussion there, but it's not implemented.)

Conceptually; however, we do want CJS to inherit, and we do want
RFP to inherit as well.  Because a popup can collude with its
opener to bypass RFP and Storage restrictions, we should propagate
the CJS information.

This does lead to an unusual situation: if you have exempted
b.com, and a.com (which is not exempted) creates a popup for b.com
then that popup will not be exempted.  But an open tab for b.com
would be.  And it might be hard to tell those two apart, or why
they behave differently.

The third part of the patch:

3) In LoadInfo we want to populate information down from the
   opener to the popup.  This is needed because otherwise a
   cross-origin popup will not defer to its opener (because in
   Fission they're in different processes) and will decide if
   it should be exempted itself. It's the CookieJarSettings
   object that prevents the cross-origin document from thinking
   it should be exempted - CJS tells it 'No, you're a child
   (either a subdocument or a popup) and if I say you don't get
   an exemption, you don't.'


Finally, there is one more caveat: we can only defer to a parent
document or opener if it still exists.  A popup may outlive its
opener. If that happens, and something induces a call to
RecomputeResistFingerprinting, then (e.g.) an about:blank popup
may lose an RFP exemption that it had received from its parent.
This isn't expected to happen in practice -
RecomputeResistFingerprinting is only called on document creation
and pref changes I believe.

It is not possible for a popup to _gain_ an exemption though,
because even if the parent document is gone, the CJS lives on and
restricts it.

Differential Revision: https://phabricator.services.mozilla.com/D183189

Bug 1782561 - Make sure we can evict cookies while processing AddCookie r=necko-reviewers,cookie-reviewers,jesup,edgul, a=RyanVM

Differential Revision: https://phabricator.services.mozilla.com/D181744

Bug 1782561 - Do not use getter_AddRefs to pass object to function r=necko-reviewers,cookie-reviewers,jesup,edgul, a=RyanVM

When using getter_AddRefs it actually nulls out the pointer before
passing it to the function, so in this case a new list was being
created with every call to CreateOrUpdatePurgeList.
Instead, we can just pass a reference to the `nsCOMPtr<nsIArray>&`

Differential Revision: https://phabricator.services.mozilla.com/D181743

Differential Revision: https://phabricator.services.mozilla.com/D182324

Differential Revision: https://phabricator.services.mozilla.com/D181779

Differential Revision: https://phabricator.services.mozilla.com/D182573

I'm pretty sure there are other theoretical problems in the code,
notably when a single section is larger than 4GB, but by the time
we reach that limit, bug 1839740 will have been fixed.

Differential Revision: https://phabricator.services.mozilla.com/D182447

Differential Revision: https://phabricator.services.mozilla.com/D183151

Original Revision: https://phabricator.services.mozilla.com/D182711

Differential Revision: https://phabricator.services.mozilla.com/D183237

No bug - Tagging 872b5aae170ffa755f89d0c6a9ebc380af677e9a with FIREFOX_115_0_2esr_RELEASE a=release CLOSED TREE DONTBUILD